HIPAA Blog

[ Tuesday, March 17, 2009 ]

More from the Stimulus Bill: There are also changes in HIPAA enforcement. Depending on how you look at it, this could be good; or bad.

Improved Enforcement. There was some confusion whether an employee of a covered entity could be subject to HIPAA criminal penalties. Normally, an employee does not personally meet the definition of a covered entity, and the Department of Justice had released an internal memorandum noting that employees would generally not be subject to prosecution for HIPAA violations; however, most if not all of the federal criminal cases that resulted in convictions for HIPAA violations involved employees who arguably did not meet the definition of a “covered entity.” This possible loophole has now been closed, and employees who wrongfully use or disclose PHI may be prosecuted for a HIPAA violation. Additionally, “willful neglect” is now a potential HIPAA violation. Individuals who were harmed by a wrongful disclosure may now be able to receive a part of any civil monetary penalty recovered for a HIPAA violation, with an increase in possible financial penalties for HIPAAviolations. More importantly, ARRA now specifically authorizes attorneys general from all of the states to independently pursue HIPAA violations that occur in their states.

The employees who violate HIPAA can be prosecuted, so their employers, if they toe the line, probably are more in the clear. What is scary here is that we might be looking at up to 57 different interpretations of what some provision of HIPAA means. AGs can go on witchhunts, so this provision might make for some bad, as well as inconsistent, law.